Chapter 6. Directory Server in Red Hat Enterprise Linux
Directory Server no longer logs false positive error messages
Previously, in a Directory Server multi-master replication environment, the Failed to update RUV for unknown error message was logged multiple times when only the replica update vector (RUV) was updated without any change. This update fixes the problem and now Directory Server no longer logs the error message. (BZ#1266920)
In FIPS mode, the slapd_pk11_getInternalKeySlot() function is now used to retrieve the key slot for a token
The Red Hat Directory Server previously tried to retrieve the key slot from a fixed token name, when FIPS mode was enabled on the security database. However, the token name can change. If the key slot is not found, Directory Server is unable to decode the replication manager's password and replication sessions fail. To fix the problem, the slapd_pk11_getInternalKeySlot() function now uses FIPS mode to retrieve the current key slot. As a result, replication sessions using SSL or STARTTLS no longer fail in the described situation. (BZ#1352109)
Directory Server now supports configuring weak DH parameters
The network security services (NSS) libraries, linked with the Red Hat Directory Server, require a minimum of 2048-bit Diffie-Hellman (DH) parameters. However, Java 1.6 and 1.7 support only 1024-bit DH parameters. As a consequence, clients using these Java versions were unable to connect to Directory Server using encrypted connections. This update adds the allowWeakDHParam parameter to the cn=encryption,cn=config entry. As a result, if this parameter is enabled, affected clients can now connect using weak DH parameters. (BZ#1327065)
The cleanAllRUV task no longer corrupts changelog back ends
At the end of the cleanAllRUV task, Directory Server removes entries from the replication changelog that contain the cleaned replica ID. Previously, the task incorrectly ran on all changelog back ends instead of only the one set in the task. As a consequence, if multiple back ends contained the same replica ID, the cleanAllRUV task corrupted them. This update fixes the problem and now the cleanAllRUV task works correctly. (BZ#1369572)
Reindexing the retro changelog no longer fails
Previously, the retrocl-plugin set a lock in read mode on the changelog back end without releasing it. This could result in a deadlock situation. For example, an index task executed by the db2index.pl script on the retro changelog back end became unresponsive when a lock in write mode was set. This update applies a patch and as a result, reindexing the retro changelog no longer fails. (BZ#1370145)
Directory Server no longer fails when disabling the CLEAR password storage scheme plug-in
Previously, Directory Server required that the CLEAR password storage plug-in was enabled when setting userPassword attributes. As a consequence, Directory Server terminated unexpectedly when attempting to set userPassword attributes, if CLEAR was disabled. This update applies a patch and as a result, Directory Server no longer fails in the described situation. (BZ#1371678)
Directory Server no longer terminates unexpectedly when using server side sorting
Previously, when using a matching rule and server side sorting, Directory Server incorrectly freed memory multiple times and terminated unexpectedly. This update fixes the bug, and as a result Directory Server no longer fails when using server side sorting. (BZ#1371706)
Directory Server now validates macros in ACIs
Previously, the Red Hat Directory Server did not validate macros in an access control instruction (ACI). As a result, users were able to set incorrect macros in an ACI. This update improves the code underlying validation, and Directory Server rejects invalid macros and logs an error. (BZ#1382386)
Replication monitor now shows the correct date
On the replication monitor, the year of the date was not displayed in the header when the value of the day field was less than 10. The code now uses the correct API, and the year is displayed correctly. (BZ#1410645)
The memberOf fix-up task now verifies arguments
Previously, if an invalid filter or basedn parameter was provided in the memberOf fix-up task, and the task failed, no information was logged. A patch has been applied and now, if a problem occurs, an error is logged and the task status is updated. As a result, the administrator is now able to identify if a task failed. (BZ#1406835)
Directory Server no longer terminates unexpectedly when deleting a non-existent attribute
Previously, deleting a non-existent attribute from the back end configuration caused Directory Server to terminate unexpectedly. This update applies a patch to pass a NULL value to the ldbm_config_set() function if no attribute was deleted. As a result, Directory Server now rejects the operation in the described scenario. (BZ#1403754)
Directory Server no longer displays multiple error messages when importing fails
Previously, if importing data failed, multiple Unable to flush error messages were displayed, because the connection to the database was not closed. This update applies a patch and as a result, Directory Server no longer displays multiple errors in the mentioned situation. (BZ#1402012)
Virtual list view-related problems have been fixed
Previously, when removing a virtual list view (VLV) index, the dblayer_erase_index_file_nolock() function was not called. Thus, the physical index file and the back pointer set to the dblayer handle were not removed. Consequently, Directory Server terminated unexpectedly. This fix updates the code and the dblayer_erase_index_file_nolock() function is now called when removing a VLV index.
In addition, the vlv_init() function previously could be called multiple times without unregistering VLV plug-in callbacks. As a consequence, Directory Server sometimes terminated unexpectedly. With this update, callbacks are now unregistered.
As a result, Directory Server no longer terminates unexpectedly in the described situations. (BZ#1399600)
Directory Server no longer logs sensitive information
Previously, when the Trace function calls option was enabled in the nsslapd-errorlog-level parameter, Directory Server logged all attributes into the error log file, including attributes containing sensitive information. A patch has been applied to filter out values of sensitive attributes. As a result, Directory Server no longer logs sensitive information. (BZ#1387772)
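An added example, not code from Red Hat or the Directory Server project: a Python check that reads a dse.ldif and flags two settings from these notes that weaken confidentiality, allowWeakDHParam in cn=encryption,cn=config and the Trace function calls level in nsslapd-errorlog-level. The sample LDIF is constructed; the value on for an enabled parameter and the bit value 1 for Trace function calls are assumptions not stated on this page.

```python
# Constructed sample dse.ldif content (added example, not project code).
SAMPLE_DSE = """\
dn: cn=config
nsslapd-errorlog-level: 8193

dn: cn=encryption,cn=config
allowWeakDHParam: on
nsSSL3Ciphers: +all,
 -rsa_null_md5
"""

TRACE_FUNCTION_CALLS = 1  # assumed bit value of "Trace function calls"


def parse_ldif(text):
    """Return {dn: {attr: [values]}} with folded lines joined (base64 not decoded)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower().replace(" ", ""), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def audit(text):
    """Return a list of warnings for settings that weaken confidentiality."""
    entries, findings = parse_ldif(text), []
    enc = entries.get("cn=encryption,cn=config", {})
    # Assumption: the parameter is enabled with the value "on".
    if any(v.lower() == "on" for v in enc.get("allowweakdhparam", [])):
        findings.append("allowWeakDHParam is on: weak DH parameters are permitted")
    for v in entries.get("cn=config", {}).get("nsslapd-errorlog-level", []):
        if v.isdigit() and int(v) & TRACE_FUNCTION_CALLS:
            findings.append("nsslapd-errorlog-level %s includes Trace function calls" % v)
    return findings
```

Calling audit() on the text of an instance's dse.ldif returns one warning string per risky setting, and an empty list when neither is present.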
Group ACIs are now correctly evaluated
Previously, if the number of members in a group in an access control instruction (ACI) exceeded the size limit of the result of the query, Directory Server incorrectly denied access. To fix the problem, the server size limit is no longer applied to the ACI group evaluation, and queries now operate correctly. (BZ#1387022)